In this lab, we step into the role of a Security Operations Center (SOC) analyst tasked with investigating suspicious activity on a compromised web server. The challenge revolves around analyzing system logs, identifying unauthorized access, detecting attacker behavior, and uncovering security misconfigurations that may have facilitated the breach. By leveraging various Linux command-line tools, we will examine authentication logs, firewall configurations, network activity, and package installation records to reconstruct the attack timeline and determine the extent of the compromise.
The lab primarily focuses on endpoint forensics, requiring a deep dive into system logs to trace attacker movements. We will analyze SSH login attempts, detect brute-force attacks, investigate firewall rule modifications, and review database security warnings. Additionally, we will explore Apache access logs to identify potential web-based threats and determine how attackers interacted with the server. By following a structured forensic methodology, we will gather key insights into the attacker’s tactics, techniques, and procedures (TTPs), helping us strengthen future security defenses.

Throughout this walkthrough, we will demonstrate how to use essential tools like grep, awk, sed, and firewall management utilities to extract meaningful information from logs. The investigation will highlight the importance of monitoring system activity, enforcing strong authentication policies, and proactively securing critical services.
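As an added example of the grep/awk/sed approach described above (this is not part of the BlueYard lab and not its solution), the script below counts failed SSH password attempts per source IP in an auth.log-style file, flags sources that exceed a threshold, and then reports any flagged source that later obtained an "Accepted" login, which is the pattern an analyst would want to escalate. The log lines, hostnames and IP addresses are constructed for the example; the file path, threshold and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's own code. All log lines below are constructed.
SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:14 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar  3 10:01:17 web01 sshd[2105]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:01:20 web01 sshd[2108]: Failed password for invalid user test from 203.0.113.45 port 51244 ssh2
Mar  3 10:01:25 web01 sshd[2112]: Failed password for deploy from 203.0.113.45 port 51250 ssh2
Mar  3 10:02:30 web01 sshd[2130]: Accepted password for deploy from 203.0.113.45 port 51300 ssh2
Mar  3 10:05:01 web01 sshd[2150]: Accepted publickey for ops from 198.51.100.7 port 40010 ssh2
Mar  3 10:06:11 web01 sshd[2161]: Failed password for root from 198.51.100.7 port 40020 ssh2
EOF

# failed_by_ip FILE
# Prints "count ip" for every source IP with failed password attempts, highest count first.
failed_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# brute_force_ips FILE THRESHOLD
# Prints only the IPs whose failed-attempt count reaches THRESHOLD (brute-force candidates).
brute_force_ips() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# success_after_failures FILE THRESHOLD
# Single pass in log order: an IP is reported once if it logs in successfully
# *after* having already accumulated THRESHOLD failed attempts. An "Accepted"
# that precedes the failures (198.51.100.7 here) is not reported.
success_after_failures() {
  awk -v t="$2" '
    /sshd\[[0-9]+\]: Failed password/ { ip = $(NF-3); fail[ip]++ }
    /sshd\[[0-9]+\]: Accepted /       { ip = $(NF-3)
                                        if (fail[ip] >= t && !(ip in hit)) { hit[ip] = 1; print ip } }
  ' "$1"
}

# Stand-alone run: show the three views an analyst would triage in order.
echo "== failed attempts per IP =="; failed_by_ip "$SAMPLE_AUTH_LOG"
echo "== brute-force candidates (>=3) =="; brute_force_ips "$SAMPLE_AUTH_LOG" 3
echo "== flagged IPs with a later successful login =="; success_after_failures "$SAMPLE_AUTH_LOG" 3
```

On a real host point the functions at `/var/log/auth.log` (or `journalctl -u ssh` output) instead of the constructed file; the `$(NF-3)` field position relies on the standard `... from IP port N ssh2` line ending, so the message format of the sshd build in use should be checked first.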